NRC FORM 464 Part I (OIG)
(09-2018)

U.S. NUCLEAR REGULATORY COMMISSION

RESPONSE TO FREEDOM OF INFORMATION ACT (FOIA) REQUEST

RESPONSE NUMBER: 2019-000322
RESPONSE TYPE: [ ] Interim [X] Final
REQUESTER: Emma Best
DATE: 9-10-19


DESCRIPTION OF REQUESTED RECORDS: 


Records, during the time period January 1, 1996 through June 30, 2016, mentioning or describing audits, reviews,
investigations, or reports regarding the state of the agency's cybersecurity program vis-a-vis potential attacks, or audits or
investigations conducted in the wake of a suspected or actual cyber attack, hacking incident or breach.


PART I. -- INFORMATION RELEASED

[X] The NRC has made some, or all, of the requested records publicly available through one or more of the following means:
(1) https://www.nrc.gov ; (2) public ADAMS, https://www.nrc.gov/reading-rm/adams.html ; (3) microfiche available in the NRC Public
Document Room; or FOIA Online, https://foiaonline.regulations.gov/foia/action/public/home .

[ ] Agency records subject to the request are enclosed.

[ ] Records subject to the request that contain information originated by or of interest to another Federal agency have been referred to
that agency (See Part I.D - Comments) for a disclosure determination and direct response to you.

[ ] We are continuing to process your request.

[X] See Part I.D - Comments.


PART I.A - FEES

AMOUNT:

[ ] You will be billed by NRC for the amount indicated.
[ ] You will receive a refund for the amount indicated.
[ ] Fees waived.
[X] Since the minimum fee threshold was not met, you will not be charged fees.
[ ] Due to our delayed response, you will not be charged search and/or duplication fees that would otherwise be applicable to your request.


PART I.B - INFORMATION NOT LOCATED OR WITHHELD FROM DISCLOSURE

[ ] We did not locate any agency records responsive to your request. Note: Agencies may treat three discrete categories of law
enforcement and national security records as not subject to the FOIA ("exclusions"). See 5 U.S.C. 552(c). This is a standard
notification given to all requesters; it should not be taken to mean that any excluded records do, or do not, exist.

[X] We have withheld certain information pursuant to the FOIA exemptions described, and for the reasons stated, in Part II.

[ ] Because this is an interim response to your request, you may not appeal at this time. We will notify you of your right to appeal any of
the responses we have issued in response to your request when we issue our final determination.

[X] You may appeal this final determination within 90 calendar days of the date of this response. If you submit an appeal by mail,
address it to the FOIA Officer, at U.S. Nuclear Regulatory Commission, Mail Stop T-2 F43, Washington, D.C. 20555-0001. You may
submit an appeal by e-mail to FOIA.resource@nrc.gov . You may fax an appeal to (301) 415-5130. Or you may submit an appeal
through FOIA Online, https://foiaonline.regulations.gov/foia/action/public/home . Please be sure to include on your submission that it
is a "FOIA Appeal."


PART I.C - REFERENCES AND POINTS OF CONTACT

You have the right to seek assistance from the NRC's FOIA Public Liaison by submitting your inquiry at
https://www.nrc.gov/reading-rm/foia/contact-foia.html , or by calling the FOIA Public Liaison at (301) 415-1276.

If we have denied your request, you have the right to seek dispute resolution services from the NRC's Public Liaison or the Office of
Government Information Services (OGIS). To seek dispute resolution services from OGIS, you may e-mail OGIS at ogis@nara.gov , send
a fax to (202) 741-5789, or send a letter to: Office of Government Information Services, National Archives and Records Administration,
8601 Adelphi Road, College Park, MD 20740-6001. For additional information about OGIS, please visit the OGIS website at
https://www.archives.gov/ogis .
PART I.D - COMMENTS


In our interim response to you, dated August 7, 2019, we identified the audit reports responsive to your request, which the
Office of Inspector General had already posted to the NRC website at https://www.nrc.gov/reading-rm/doc-collections/insp-gen/ .
Included among the listed audit reports were three audit reports that had portions redacted:

OIG-05-A-21, Independent Evaluation of NRC's Implementation of the Federal Information Security Management
Act (FISMA) for FY2005

OIG-09-A-11, Evaluation Report: Information System Security Evaluation of the Technical Training Center -
Chattanooga, TN

OIG-10-A-18, Assessment of NRC's Wireless Devices 

During the review of OIG-09-A-11, one additional responsive audit report was identified, OIG-06-A-19, Computer Security 
Audit of the Technical Training Center - Chattanooga, TN, which had not previously been posted to the NRC website. 

In coordination with subject matter experts in various program offices, we have determined that these four audit reports may 
now be released in their entirety. In addition to posting these complete reports to the NRC website, copies are enclosed. 

Finally, with respect to OIG-18-A-14, External Vulnerability Assessment and Penetration Test, which we had identified in our 
interim response as responsive to your request, but had not been posted to the NRC website, we have re-reviewed this 
audit report and determined that certain portions may now be released. However, certain portions of the report remain 
sensitive and, accordingly, will be withheld for the reasons stated in Part II. 

This concludes our processing of your request. We appreciate your patience. 


PART II.A - APPLICABLE EXEMPTIONS

Records subject to the request are being withheld in their entirety or in part under the FOIA exemption(s) as indicated below (5 U.S.C. 552(b)).

[ ] Exemption 1: The withheld information is properly classified pursuant to an Executive Order protecting national security information.

[ ] Exemption 2: The withheld information relates solely to the internal personnel rules and practices of NRC.

[ ] Exemption 3: The withheld information is specifically exempted from public disclosure by the statute indicated.
    [ ] Sections 141-145 of the Atomic Energy Act, which prohibits the disclosure of Restricted Data or Formerly Restricted Data (42 U.S.C. 2161-2165).
    [ ] Section 147 of the Atomic Energy Act, which prohibits the disclosure of Unclassified Safeguards Information (42 U.S.C. 2167).
    [ ] 41 U.S.C. 4702(b), which prohibits the disclosure of contractor proposals, except when incorporated into the contract between the agency and the
        submitter of the proposal.
    [ ] Other:

[ ] Exemption 4: The withheld information is a trade secret or confidential commercial or financial information that is being withheld for the reason(s)
indicated.
    [ ] The information is considered to be proprietary because it concerns a licensee's or applicant's physical protection or material control and
        accounting program for special nuclear material pursuant to 10 CFR 2.390(d)(1).
    [ ] The information is considered to be another type of confidential business (proprietary) information.
    [ ] The information was submitted by a foreign source and received in confidence pursuant to 10 CFR 2.390(d)(2).

[X] Exemption 5: The withheld information consists of interagency or intraagency records that are normally privileged in civil litigation.
    [X] Deliberative process privilege.
    [ ] Attorney work product privilege.
    [ ] Attorney-client privilege.

[ ] Exemption 6: The withheld information from a personnel, medical, or similar file, is exempted from public disclosure because its disclosure would result
in a clearly unwarranted invasion of personal privacy.

[X] Exemption 7: The withheld information consists of records compiled for law enforcement purposes and is being withheld for the reason(s) indicated.
    [ ] (A) Disclosure could reasonably be expected to interfere with an open enforcement proceeding.
    [ ] (C) Disclosure could reasonably be expected to constitute an unwarranted invasion of personal privacy.
    [ ] (D) The information consists of names and other information the disclosure of which could reasonably be expected to reveal identities of confidential sources.
    [X] (E) Disclosure would reveal techniques and procedures for law enforcement investigations or prosecutions, or guidelines that could reasonably be expected to
        risk circumvention of the law.
    [X] (F) Disclosure could reasonably be expected to endanger the life or physical safety of an individual.
    [ ] Other

PART II.B - DENYING OFFICIAL

In accordance with 10 CFR 9.25(g)(1) of the U.S. Nuclear Regulatory Commission regulations, the official listed below has made the
determination to withhold certain information, described below, responsive to your request.

DENYING OFFICIAL:    Rocco Pierri
TITLE/OFFICE:        Assistant Inspector General for Investigations
RECORDS DENIED:      Audit recommendations; techniques and system vulnerabilities
APPELLATE OFFICIAL:  Inspector General